
HIPAA & Law Firm Liability



Understanding HIPAA Compliance For Law Firms

Third-Party Service Providers & Law Firm Liability

Law firms routinely handle sensitive information, and it is common practice to implement security procedures to guard it. Preventing unwanted exposure of sensitive information or data protects a firm’s clients, the firm’s reputation, and ultimately its business. When it comes to personal health information, however, firms can unknowingly be exposed to financial risk not because of their own security policies but because of the policies used by outsourced service providers. Working with reputable third-party service providers and understanding their policies and practices helps firms reduce their liability and maintain their reputation.

In this whitepaper we explore HIPAA and how it applies to law firms, how third-party service providers can cause firms to become liable under HIPAA, and finally the best practices law firms can adopt to protect themselves from violations and penalties.

Included in this whitepaper

HIPAA Background Information

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) created national standards protecting confidential health information from being disclosed without patient consent. With the passage of HITECH in 2009, law firms working on behalf of covered entities are now required to implement the same privacy and security requirements as the covered entities they serve.

HIPAA & Subcontractors

The HIPAA Omnibus Rule of January 2013 clarified requirements and made business associates of covered entities, as well as their subcontractors, directly liable for compliance with HIPAA’s Privacy and Security rules. This change increases firms’ exposure to HIPAA penalties by making them potentially liable for breaches caused by any outside service provider that handles PHI.

How Law Firms Become Liable Under HIPAA

With the expansion of HIPAA, business associates (including law firms) became directly liable for violations. In this section we examine Business Associate Agreements (BAAs) and how, if they are not implemented correctly, law firms can be held liable for service provider violations.

HIPAA Penalties

Fines for violating HIPAA are substantial, ranging from $100 to $1.5 million. We examine the four tiers of HIPAA violations, the differences between them, and the penalties for each.

Vetting Service Providers

Law firms that do not perform thorough due diligence can be held liable for PHI breaches caused by their service providers. In this final chapter, we describe how to perform proper due diligence and which questions to keep in mind when vetting a service provider.

Brandy Patrick

Records Division President

Brandy Patrick is the President of the Record Retrieval Division of Lexitas. Ms. Patrick has over 17 years of experience in sales, operations, and mergers & acquisitions. Ms. Patrick is a thought leader in the industry, providing deep knowledge of HIPAA and the complex laws impacting record retrieval. Prior to her current role, Ms. Patrick was President of America First Legal Services, a premium record retrieval company acquired by Lexitas.

